Abusing Heat to Hack an Air-Gapped Computer

Air-gapped computers, which are entirely isolated from the network, are said to be the most secure method of computing, but new research shows the heat emitted from your computer can open channels to an entirely new wave of hacking.

According to research from the Cyber Security Research Center at Ben Gurion University in Israel, researchers can hack air-gapped computers and steal data using only nearby heat emissions and the computers' built-in thermal sensors.

What is an air-gapped machine? An air-gapped machine is a device that is entirely isolated from any outside networks, including the public internet or surrounding local networks. Air-gapped computers are used when the machine needs to stay secure regardless of the condition, a tactic many journalists working with NSA whistleblower Edward Snowden admitted to using.

Now how are researchers able to hack air-gapped machines when they are entirely isolated from any form of outside contact, with all network lines for digital or remote intrusion cut? Researchers would say only two words: heat emissions.

When heat from one computer is emitted and detected by a nearby computer, it opens a channel for hackers to attack the machine, allowing them to steal passwords or even install malware.

Researchers Mordechai Guri and Matan Munitz discovered the method of attack and were overseen by a school professor, Yuval Elovici. The three plan to publish a paper detailing their research soon, titling it “BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations.”

Back in August 2014, the same three security researchers from the university had found a new way to hack air-gapped machines, using a method they dubbed Air-Hopper, which utilizes FM radio signals to steal data.

The same set of researchers have discovered a new method of attack, dubbed BitWhisper, an attack that allows hackers to hack into isolated machines utilizing only the heat exchanged between the two computers.

“BitWhisper is a demonstration for a covert bi-directional communication channel between two close by air-gapped computers communicating via heat. The method allows bridging the air-gap between the two physically adjacent and compromised computers using their heat emissions and built-in thermal sensors to communicate,” Dudu Mimran, the CTO of Cyber Security labs said in a blog post Monday.

To connect the two entirely separate machines, the attack relies on something the paper details as “thermal pings,” or the mixture of the two networks via proximity and heat, which helps open a bridge between the public network and the internal network.

“At this stage, the attacker can communicate with the formerly isolated network, issuing commands and receiving responses,” the report said. Once the air gap has been bridged, attackers can then execute a handful of tasks, including stealing security keys, installing malware, sending and receiving commands or even spreading malware across parts of the network.

“BitWhisper provides a feasible covert channel, suitable for delivering command and control (C&C) messages, and leaking short chunks of sensitive data such as passwords,” the paper warns.

To demonstrate the attack in a real-world scenario, researchers were able to send a command from one air-gapped machine to another, with the intent to reposition and fire a small toy missile.

In the video demonstration the researchers position the computers next to each other to determine how quickly data travels between the two.

The thermal sensors the researchers utilize in the video are pre-installed within computers to trigger internal fans for cooling, to stop the machine's components such as the CPU or GPU from overheating and damaging the hardware. BitWhisper utilizes these sensors to send commands to the air-gapped machine or for data exfiltration.

To further their research, the lab ran the machines through rigorous sets of calculations in order to get the machine to emit additional heat. From there, the researchers were able to identify which of the computers’ temperature sensors were affected by the amount of heat, which could then in turn be abused. The three were then left with a complex attack environment that is dependent upon the various parameters.

Though the complex attack is a new step in hacking isolated machines, there are a few limitations.

The proof-of-concept attack requires both systems to already be compromised with malware, a huge setback as air-gapped machines are meant to be isolated from the start.

The attack only allows for 8 bits of data to be transmitted each hour, which is sufficient for an attacker wishing to steal data or secret keys.

The attack only works if the air-gapped machine is within 40 centimeters (roughly 15 inches) of the attacker's machine.

The attack requires no additional hardware or extra components, just that both machines are infected with malware. The attack can be successfully executed as long as one computer is producing heat while another is monitoring that heat.
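Because the receiving side depends on a sensor warming from a neighbor's heat rather than from its own work, a defender can log temperature alongside CPU load and flag warming that local load does not explain. The sketch below is an added example, not code from the BitWhisper paper; the sample readings, window size and thresholds are constructed assumptions.

```python
# Constructed samples, one per minute:
# (minute, local CPU load in %, sensor temperature in degrees C).
SAMPLES = [
    (0, 5, 40.0), (1, 6, 40.1), (2, 4, 40.0), (3, 5, 40.2), (4, 5, 40.1),
    (5, 90, 41.5), (6, 95, 44.0), (7, 92, 46.0),   # local job: heat is explained
    (8, 10, 45.0), (9, 6, 43.0), (10, 5, 41.5), (11, 4, 40.5), (12, 5, 40.2),
    (13, 5, 40.8), (14, 4, 41.5), (15, 6, 42.3),   # idle, yet warming
    (16, 5, 43.0), (17, 5, 43.4), (18, 4, 43.5), (19, 5, 43.0), (20, 5, 42.0),
]


def unexplained_heating(samples, window=4, rise_c=2.0, idle_load=15):
    """Return [(start_minute, end_minute, rise)] episodes where the sensor
    warmed by at least rise_c across `window` samples while local CPU load
    never exceeded idle_load. Thresholds are illustrative assumptions."""
    episodes = []
    for i in range(len(samples) - window + 1):
        chunk = samples[i:i + window]
        if max(load for _, load, _ in chunk) > idle_load:
            continue  # this machine was busy, so its own work explains the heat
        if chunk[-1][2] - chunk[0][2] < rise_c:
            continue  # no significant warming in this window
        start, end = chunk[0][0], chunk[-1][0]
        if episodes and start <= episodes[-1][1]:
            episodes[-1][1] = end          # overlaps the previous episode: extend it
        else:
            episodes.append([start, end])  # a new episode begins
    temp_at = {minute: temp for minute, _, temp in samples}
    return [(s, e, round(temp_at[e] - temp_at[s], 1)) for s, e in episodes]


if __name__ == "__main__":
    for start, end, rise in unexplained_heating(SAMPLES):
        print(f"minutes {start}-{end}: +{rise} C while CPU was idle")
```

A flagged episode is only a lead for investigation: room temperature changes and fan behaviour also move these sensors.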

The only real prevention method for the attack at this time is to keep computers far apart from each other, which researchers note is impractical.

“Keeping minimal distances between computers is not practical,” the researchers said, continuing, “and obviously, managing physical distances between different networks has its complexity in terms of space and administration overheads that increases with every air-gap network used.”

Though the high-tech and complex attack is an innovation in hacking isolated machines, the number of environmental factors needed in the attack makes it extremely hard to execute. Researchers believe the attack method can be abused across any number of electronics, not only air-gapped machines.